Cisco Systems ASA 5555-X Network Router User Manual


 
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map)
Identifying Traffic in an Inspection Class Map
Restrictions
Not all applications support inspection class maps. See the CLI help for class-map type inspect for a
list of supported applications.
Detailed Steps

Step 1 (Optional)
Command: Create a regular expression.
Purpose: See the general operations configuration guide.

Step 2
Command:
class-map type inspect application [match-all | match-any] class_map_name
Example:
ciscoasa(config)# class-map type inspect http http_traffic
ciscoasa(config-cmap)#
Purpose:
Creates an inspection class map, where the application is the application you want to inspect. For supported applications, see the CLI help for a list of supported applications or see Chapter 9, “Getting Started with Application Layer Protocol Inspection.”
The class_map_name argument is the name of the class map up to 40 characters in length.
The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map.
The match-any keyword specifies that the traffic matches the class map if it matches at least one of the criteria.
The CLI enters class-map configuration mode, where you can enter one or more match commands.

Step 3 (Optional)
Command:
description string
Example:
hostname(config-cmap)# description All UDP traffic
Purpose:
Adds a description to the class map.

Step 4
Command:
Define the traffic to include in the class by entering one or more match commands available for your application.
Purpose:
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
To see the match commands available for each application, see the appropriate inspection chapter.

Examples

The following example creates an HTTP class map that must match all criteria:
ciscoasa(config-cmap)# class-map type inspect http match-all http-traffic
ciscoasa(config-cmap)# match req-resp content-type mismatch
ciscoasa(config-cmap)# match request body length gt 1000
ciscoasa(config-cmap)# match not request uri regex class URLs

The following example creates an HTTP class map that can match any of the criteria:
ciscoasa(config-cmap)# class-map type inspect http match-any monitor-http
ciscoasa(config-cmap)# match request method get
ciscoasa(config-cmap)# match request method put
ciscoasa(config-cmap)# match request method post
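
The match-all, match-any and match not semantics described on this page, modelled in Python as an added example (not Cisco code and not part of the original guide) so you can check which traffic a class map would select before deploying it. Assumptions: the Exchange fields, the contents of the regex class URLs, the simplified Accept comparison, and treating match not as the negation of a single criterion are all illustrative.

```python
import re
from dataclasses import dataclass

@dataclass
class Exchange:
    """Constructed stand-in for one HTTP request/response pair."""
    method: str
    uri: str
    body_len: int
    accept: str          # request Accept header
    content_type: str    # response Content-Type header

# Hypothetical contents of the regex class "URLs" named in the page's example.
URLS = [re.compile(r"example\.com")]

def ctype_mismatch(x):
    # Simplified model of "match req-resp content-type mismatch":
    # response type is not one of the types listed in Accept (no wildcards).
    return x.content_type not in [t.strip() for t in x.accept.split(",")]

def body_gt_1000(x):     # "match request body length gt 1000"
    return x.body_len > 1000

def uri_in_urls(x):      # "match request uri regex class URLs"
    return any(r.search(x.uri) for r in URLS)

def class_matches(mode, criteria, x):
    """criteria is a list of (predicate, negate); negate=True models 'match not'."""
    results = [pred(x) != negate for pred, negate in criteria]
    return all(results) if mode == "match-all" else any(results)

# The two class maps from the page's Examples section.
HTTP_TRAFFIC = ("match-all", [(ctype_mismatch, False), (body_gt_1000, False),
                              (uri_in_urls, True)])
MONITOR_HTTP = ("match-any", [(lambda x, m=m: x.method == m, False)
                              for m in ("GET", "PUT", "POST")])

BIN = "application/octet-stream"
SAMPLES = {  # constructed exchanges
    "big_mismatch": Exchange("POST", "http://files.test/upload", 4096, "text/html", BIN),
    "excluded_uri": Exchange("POST", "http://example.com/upload", 4096, "text/html", BIN),
    "small_body": Exchange("POST", "http://files.test/upload", 200, "text/html", BIN),
    "delete": Exchange("DELETE", "http://files.test/item/7", 0, "text/html", "text/html"),
}

def evaluate(cmap):
    mode, criteria = cmap
    return {name: class_matches(mode, criteria, x) for name, x in SAMPLES.items()}

if __name__ == "__main__":
    print("http-traffic:", evaluate(HTTP_TRAFFIC))
    print("monitor-http:", evaluate(MONITOR_HTTP))
```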